Abstract

We propose a coin-flip protocol which yields a string of strong, random coins and is fully simulatable against poly-sized quantum adversaries on both sides. It can be implemented with quantum-computational security without any set-up assumptions, since our construction only assumes mixed commitment schemes, which we show how to construct in the given setting. We then show that the interactive generation of random coins at the beginning of or during outer protocols allows for quantum-secure realizations of classical schemes, again without any set-up assumptions. As example applications we discuss quantum zero-knowledge proofs of knowledge and quantum-secure two-party function evaluation. Both applications assume only fully simulatable coin-flipping and mixed commitments. Since our framework allows us to construct fully simulatable coin-flipping from mixed commitments, this in particular shows that mixed commitments are complete for quantum-secure two-party function evaluation. This seems to be the first completeness result for quantum-secure two-party function evaluation from a generic assumption.

1 Introduction 

True randomness is a crucial ingredient in many cryptographic applications. Therefore, secure coin-flipping is an essential primitive, which allows two parties to agree on a uniformly random bit in a fair way, such that neither party can influence the value of the coin to his advantage. We investigate coin-flip protocols with classical message exchange but where the adversary is assumed to be capable of quantum computing. Security of cryptographic protocols in the quantum world means, of course, that quantum computation does not jeopardize the assumption underlying the protocol construction. However, we encounter additional setbacks in the security proofs, which are mostly due to the fact that some well-known classical proof techniques cannot be applied in a quantum environment.

Our Contribution. We aim at establishing coin-flipping as a stand-alone tool in a model without any setup assumptions. As such, our protocol can be used in several contexts and different generic constructions. One notable application is as a subroutine for realizing the theoretical assumption of the common-random-string model (CRS-model).¹ Since the generation of a CRS often significantly simplifies the design of (quantum-secure) protocols, this then implies that various interesting applications can be implemented quantum-securely in a simple manner from scratch.

¹ In the CRS-model the parties are provided with a public common random string CRS before communication, taken from the uniform distribution.

In more detail, we first investigate different degrees of security that a coin-flip protocol can acquire. Then, we propose and prove constructions that allow us to amplify the respective degrees of security such that weaker coins are converted into very strong ones.² The amplification only requires mixed commitment schemes, which we know how to construct with quantum security under reasonable assumptions — for instance, based on the quantum hardness of the learning with errors problem. Combining our amplification protocols allows us to take a very weak notion of coin-flipping and amplify it to a coin-flip protocol which is fully simulatable against poly-sized quantum adversaries. By fully simulatable we mean that both sides can be simulated in quantum polynomial time.

Our amplification framework should also be understood as a step towards fully simulatable constant-round coin-flipping. To the best of our knowledge, to date there does not exist any fully simulatable protocol which is constant-round and which allows one to generate a long random bit-string. In particular, no fully simulatable constant-round coin-flip protocol is known to securely compose in parallel. Since all our amplification protocols run in a constant number of rounds, we show that if there exists a constant-round coin-flip protocol for long strings with weak security, then there also exists a constant-round coin-flip protocol for long strings which is fully simulatable. Even though our work leaves fully simulatable constant-round coin-flipping of long strings as a fascinating open problem, we consider it a contribution in itself to define a reasonably weak but sufficient security notion to realize fully simulatable constant-round coin-flipping of long strings.

Related Work. The standard coin-flip protocol of [2] was proven secure in a quantum environment in previous work [7]. In its basic form this protocol yields one coin as output. Of greater importance, however, is flipping a string of coins instead of a bit, in particular, when generating a CRS. The basic construction composes in sequence with security classified as medium in our framework here. Parallel composition is possible using an extended construction providing efficient simulations on both sides. This extension, however, requires a CRS as initial assumption, i.e. the CRS-model, and hence violates our strong requirement of applications implementable quantum-securely without any set-up assumptions.

As an example application, we discussed in [7] the generation of a CRS in the context of e.g. a quantum zero-knowledge proof. For an overview and more details, see also [14]. To further show the implications of coin-flipping as an implementation of the CRS-model in the quantum setting, we here add the functionalities of a quantum zero-knowledge proof of knowledge and quantum-secure function evaluation. We want to mention the following related work. First, an alternative approach in the context of zero-knowledge was independently investigated by Smith [17]. There, coin-flipping is implemented by a string commitment with special openings, validated in subsequent zero-knowledge proofs run in sequence; the round complexity therefore depends on the security parameter, i.e. on how many proofs must be completed to achieve a negligible soundness error. The coin-string is used as key to encode the witness, and more zero-knowledge proofs are given to prove that. As encryption scheme, they suggest a scheme with similar properties as in the standard construction for mixed commitments [4,5,8]. To the best of our knowledge, the question of its actual secure implementation was left open, and a formal description and analysis was never published. Second, we want to mention the concurrent and independent work of Hallgren, Smith, and Song, as sketched in [12]. They also prove, among other things, classical protocols for zero-knowledge proofs of knowledge and function evaluation secure in the quantum setting by proposing a composition theorem that allows one to use the basic coin-flipping protocol in [7] to generate a CRS. In addition, they give a UC-secure protocol for said tasks in the CRS-model.

² For clarity, we note that we use the intuitive interpretation of "weak" and "strong" coins related to their security degrees, which differs from the definitions in the quantum literature.

Furthermore, the techniques used in our reductions are inspired by techniques used in works in the UC framework (cf. [8]), where rewinding is also a problem. But to the best of our knowledge, all our reductions are novel, and might also be of classical interest.

Security in the Quantum World. It is well known that bit commitments imply a single coin-flip — in the classical as in the quantum world [2, 7] — in a straightforward way: Alice chooses a random bit $a$ and commits to it, Bob then sends his bit $b$ in plain, then the commitment is opened, and the resulting coin is $a \oplus b$. However, even when basing the embedded commitment scheme on a computational assumption that withstands quantum attacks (for the hiding property), the security proof of the outer coin-flipping (and its integration into other applications) cannot easily be translated from the classical to the quantum world. Typically, security against a classical adversary is argued in this context by rewinding the adversary in a simulation. In brief, it is shown that a run of a protocol between a dishonest Bob and honest Alice can be efficiently simulated without interacting with Alice but with a simulator instead. A simulator basically prepares a valid conversation and tries it on dishonest Bob. Now, in case Bob does not send the expected reply, we need the possibility to rewind him. Then, to conclude the proof, we have to show that the expected running time of the simulation is polynomial.

Unfortunately, rewinding as a proof technique can generally not be directly applied in the quantum world, i.e., if the dishonest machine is a quantum computer. First, we cannot trivially copy and store an intermediate state of a quantum system, and second, quantum measurements are in general irreversible. In order to produce a classical transcript, the simulator would have to partially measure the quantum system without copying it beforehand, but then it would become impossible to reconstruct all information necessary for correct rewinding [11]. It is worth mentioning though that rewinding in the quantum world is possible in a limited setting, as shown by Watrous [18]. This technique was also used for proving the quantum security of single coin-flipping based on bit commitments [7]. However, the generation of a string of coins must be based on string commitments. In this setting, the simulator cannot rewind in poly-time. A possible solution for simulating against a classical Bob is then to let him commit to his message in a way which allows the simulator to extract the message. Therewith, the message is known to the simulator in any following iteration of rewinding. This technique seems to be doomed to fail in the quantum realm, since it is neither known how to rewind quantumly for string commitments nor can any intermediate state (such as Bob's commitment) be preserved. Moreover, commitment constructions providing flavors of extractability without rewinding require some stronger set-up assumptions. Thus, other techniques, such as our method based on mixed commitments, are needed for solutions in this context.

Applications. Even though we establish coin-flipping as a stand-alone tool, we highlight again that the generation of a CRS leads to a simple and quantum-secure implementation of various interesting applications without any set-up assumptions. We show two different example applications, in addition to the functionalities already discussed in [7]. First, we propose a quantum-secure zero-knowledge proof of knowledge based on a witness encoding scheme, which we define such that it provides a certain degree of extractability and simulatability in the quantum world. Our zero-knowledge construction only requires mixed commitments, which can be implemented with quantum security. This is of particular interest, as the problems of rewinding in the quantum realm complicate implementing proofs of knowledge from scratch. And second, we show that mixed commitment schemes are sufficient for quantum-secure function evaluation of any classical poly-time function $f$ with security against active quantum adversaries. In more detail, we first show that mixed commitments imply an oblivious transfer protocol with passive security. From that it is straightforward to construct a protocol for any classical poly-time function with security against passive quantum adversaries [13]. As our main result in that context, we then propose a quantum-secure implementation for evaluating any such function with security against active quantum adversaries.

2 Preliminaries 

Notation. We use $\mathrm{negl}(n)$ to denote the set of negligible functions (in $n$). For a bit-string $x \in \{0,1\}^n$ and a subset $S \subseteq \{1,\dots,n\}$ of size $s$, we define $x|_S \in \{0,1\}^s$ to be the restriction $(x_i)_{i \in S}$. The probability of event $E$ is denoted by $\Pr[E]$. For a random variable $X$ we use $P_X$ to denote the distribution of $X$, and for an additional random variable $Y$ we use $P_{X|Y}$ to denote the conditional distribution of $X$ given $Y$. Statistical indistinguishability of families of classical random variables is denoted by $\approx$, and $\stackrel{q}{\approx}$ indicates quantum poly-time indistinguishability of families of random variables, i.e., the families cannot be distinguished by poly-sized families of quantum circuits.

Definition of Security. We are interested in classical two-party protocols secure in a quantum world. We work in the security framework introduced in [9] and extended in [4]. The definitions are proposed for quantum protocols that implement classical non-reactive two-party functionalities, meaning that in- and output must be classical. The framework allows functionalities which behave differently in case of a dishonest player, and it is further shown that any protocol in the framework composes sequentially in a classical environment, i.e. within an outer classical protocol. For the sake of simplicity, the framework does not assume additional entities such as e.g. an environment. The original security definitions for unconditional security [9] are phrased in simple information-theoretic conditions, depending on the functionality, which implies strong simulation-based security. In [4], it is then shown that computational security (in the CRS-model) can be defined similarly. In the following, we state the formalism essential for this work.³ For more details on the framework and notation, we refer to [4,6,9], and to [14] for an overview.

Our protocols run between players Alice (A) and Bob (B) and all definitions are given in the two-world paradigm of simulation-based proofs. The real world captures the actual protocol $\Pi$, consisting of message exchange between the parties and local computations. Real-world players are denoted by honest $A, B$ and are restricted to poly-time classical strategies. Dishonest players $A', B'$ are allowed any quantum poly-time strategy. Formally, let $\mathfrak{P}$ denote the set of poly-size quantum circuits, so we assume that $A', B' \in \mathfrak{P}$. The ideal functionality $\mathcal{F}$ models the intended behavior of the protocol in the ideal world, where the players interact using $\mathcal{F}$. Honest and dishonest players in the ideal world (a.k.a. simulators) are denoted by $\hat{A}, \hat{B}$ and $\hat{A}', \hat{B}'$, respectively. An honest player simply forwards messages to and from $\mathcal{F}$; dishonest players are allowed to change their messages. Again $\hat{A}', \hat{B}' \in \mathfrak{P}$. Now, the input-output behavior of $\mathcal{F}$ defines the required input-output behavior of $\Pi$. Intuitively, if the executions are indistinguishable, security of the protocol in real life follows. In other words, a dishonest real-world player that attacks protocol $\Pi$ cannot achieve (significantly) more than an ideal-world adversary that attacks the corresponding functionality $\mathcal{F}$.

The common input state $\rho_{UV} = \sum_{u,v} P_{UV}(u,v)\,|u\rangle\langle u| \otimes |v\rangle\langle v|$ for some probability distribution $P_{UV}$ is classical, and we understand $U, V$ as random input variables (for Alice and Bob, respectively). The same holds for the classical output state $\rho_{XY}$ with output $X, Y$ for Alice respectively Bob. The input-output behavior of the protocol is uniquely determined by $P_{XY|UV}$, and we write $\Pi(U,V) = (X,Y)$. Then, a general classical ideal functionality $\mathcal{F}$ is given by a conditional probability distribution $P_{\mathcal{F}(U,V)|UV}$ with $\mathcal{F}(U,V)$ denoting the ideal-world execution, where the players forward their inputs $U, V$ to $\mathcal{F}$ and output whatever they obtain from $\mathcal{F}$.

Definition 1 (Correctness). A protocol $\Pi(U,V) = (X,Y)$ correctly implements an ideal classical functionality $\mathcal{F}$, if for every distribution of the input values $U$ and $V$, the resulting common output $(X,Y)$ satisfies $(U,V,X,Y) \stackrel{q}{\approx} (U,V,\mathcal{F}(U,V))$.

³ Note that we use a simplified joint output representation in comparison to [9].
We now define computational security against dishonest Alice; the definitions for dishonest Bob are analogous. Let $Z$ and $U'$ denote dishonest Alice's classical and quantum information. We consider a poly-size quantum circuit, called input sampler, which takes as input the security parameter and produces the input state $\rho_{U'ZV}$. We require from the input sampler that any $\rho_{U'ZV}$ is restricted to be of the form $\rho_{U' \leftrightarrow Z \leftrightarrow V} = \sum_{z,v} P_{ZV}(z,v)\,|z\rangle\langle z| \otimes |v\rangle\langle v| \otimes \rho_{U'}^{z,v}$ (see [6] for notational details), where it holds that⁴ $\rho_{U'}^{z,v} = \rho_{U'}^{z}$. This expresses conditional independence, namely that Bob's classical $V$ is independent of Alice's quantum part $U'$ when given $Z$. In other words, Alice's quantum part $U'$ is correlated with Bob's part only via her classical $Z$.

Definition 2 (Computational security against dishonest Alice). A protocol $\Pi$ implements an ideal classical functionality $\mathcal{F}$ computationally securely against dishonest Alice, if for any real-world adversary $A' \in \mathfrak{P}$ there exists an ideal-world adversary $\hat{A}' \in \mathfrak{P}$ such that, for any efficient input sampler with $\rho_{U'ZV} = \rho_{U' \leftrightarrow Z \leftrightarrow V}$, it holds that the outputs are quantum-computationally indistinguishable, i.e., $out^{\Pi}_{A',B} \stackrel{q}{\approx} out^{\mathcal{F}}_{\hat{A}',\hat{B}}$.

We state these output states explicitly as $out^{\Pi}_{A',B} = \rho_{UX'ZY}$ and $out^{\mathcal{F}}_{\hat{A}',\hat{B}} = \rho_{UX' \leftrightarrow Z \leftrightarrow Y}$, which shows that Alice's possibilities in the ideal world are limited: she can produce some classical input $U$ for $\mathcal{F}$ from her quantum input state $U'$, and then she can obtain a quantum state $X'$ by locally processing $U$ and possibly $\mathcal{F}$'s classical reply $X$.



3 Security Notions for Coin-Flipping

We denote a generic protocol with a $\lambda$-bit coin-string as output by $\Pi^{\mathrm{COIN}}_{A,B}$, corresponding to an ideal functionality $\mathcal{F}_{\lambda\text{-COIN}}$. The outcome of such a protocol is $c \in \{0,1\}^\lambda \cup \{\bot\}$, i.e., either a $\lambda$-bit string or an error message. We use several security parameters, indicating the length of coin-strings for different purposes; the length of a coin-flip yielding a key or a challenge is denoted by $\kappa$ or $\sigma$, respectively. The ideal functionality for coin-flipping is defined symmetrically such that the respective dishonest party always has an option to abort. We state the ideal functionalities in the case of both players being honest and in the case of dishonest Alice and honest Bob (Fig. 1). Note that the latter then also applies to honest Alice and dishonest Bob by simply switching sides and names.

Recall that the joint output representation of a protocol execution is denoted by $out^{\Pi}_{A,B}$ (with $\Pi = \Pi^{\mathrm{COIN}}_{A,B}$) and given here for the case of honest players. The same notation with $\mathcal{F} = \mathcal{F}_{\lambda\text{-COIN}}$ and $\hat{A}, \hat{B}$ applies in the ideal world as $out^{\mathcal{F}}_{\hat{A},\hat{B}}$, where the players invoke the ideal functionality $\mathcal{F}_{\lambda\text{-COIN}}$ and output whatever they obtain from it. We need an additional notation here, describing the outcome of a protocol run between e.g. honest A and B, namely $c \leftarrow \Pi^{\mathrm{COIN}}_{A,B}$.

⁴ $\rho_E^x$ denotes a state in register $E$, depending on the value $x \in \mathcal{X}$ of a random variable $X$ over $\mathcal{X}$ with distribution $P_X$. Then, from the view of an observer who holds register $E$ but does not know $X$, the system is in state $\rho_E = \sum_{x \in \mathcal{X}} P_X(x)\,\rho_E^x$, where $\rho_E$ depends on $X$ in the sense that $E$ is in state $\rho_E^x$ exactly if $X = x$.

Functionality $\mathcal{F}_{\lambda\text{-COIN}}$ with honest players:

Upon receiving requests start from both Alice and Bob, $\mathcal{F}_{\lambda\text{-COIN}}$ outputs uniformly random $h \in_R \{0,1\}^\lambda$ to Alice and Bob.

Functionality $\mathcal{F}_{\lambda\text{-COIN}}$ with dishonest Alice:

1. Upon receiving requests start from both Alice and Bob, $\mathcal{F}_{\lambda\text{-COIN}}$ outputs uniformly random $h \in_R \{0,1\}^\lambda$ to Alice.

2. It then waits to receive her second input $\top$ or $\bot$ and outputs $h$ or $\bot$ to Bob, respectively.

Figure 1. The Ideal Functionality for $\lambda$-bit Coin-Flipping.

We will define three flavors of security for coin-flip protocols, namely uncontrollable (uncont), random and enforceable (force). The two sides can have different flavors. Then, if a protocol $\Pi^{\mathrm{COIN}}_{A,B}$ is, for instance, enforceable against Alice and random against Bob, we write $\pi^{(\text{force},\text{random})}$, and similarly for the eight other combinations of security. Note that for simplicity of notation, we will then omit the indexed name as well as the length of the coin, as they are clear from the context. Again, we define all three flavors for Alice's side only, as the definitions for Bob are analogous. Recall that $U'$ and $Z$ resp. $V$ denote dishonest Alice's quantum and classical input resp. honest Bob's classical input. As before, we assume a poly-size input sampler, which takes as input the security parameter and produces a valid input state $\rho_{U'ZV} = \rho_{U' \leftrightarrow Z \leftrightarrow V}$. Note that an honest player's input is empty but models the invocation start. We stress that we require for all three security flavors and for all $c \in \{0,1\}^\lambda$ that

$$\Pr\big[c \leftarrow \Pi^{\mathrm{COIN}}_{A,B}\big] = 2^{-\lambda},$$

which implies that when both parties are honest, then the coin is unbiased. Below we only define the extra properties required for each of the three flavors.

We call a coin-flip uncontrollable against Alice, if she cannot force the coin to hit some negligible subset, except with negligible probability.

Definition 3 (Uncontrollability against dishonest Alice). We say that protocol $\Pi^{\mathrm{COIN}}_{A,B}$ implements an uncontrollable coin-flip against dishonest Alice, if it holds for any poly-sized adversary $A' \in \mathfrak{P}$ with inputs as specified above and all negligible subsets $Q \subseteq \{0,1\}^\lambda$ that

$$\Pr\big[c \leftarrow \Pi^{\mathrm{COIN}}_{A',B} : c \in Q\big] \in \mathrm{negl}(\kappa).$$

Note that we denote by $Q \subseteq \{0,1\}^\lambda$ a family of subsets $\{Q(\kappa) \subseteq \{0,1\}^{\lambda(\kappa)}\}_{\kappa \in \mathbb{N}}$ for security parameter $\kappa$. Then we call $Q$ negligible, if $|Q(\kappa)| \cdot 2^{-\lambda(\kappa)}$ is negligible in $\kappa$. In other words, we call a subset negligible, if it contains a negligible fraction of the elements of the set in which it lives.
We call a coin-flip random against Alice, if she cannot enforce a non-uniformly random output string in $\{0,1\}^\lambda$, except by making the protocol fail on some chosen runs. That means she can at most lower the probability of certain output strings compared to the uniform case.

Definition 4 (Randomness against dishonest Alice). We say that protocol $\Pi^{\mathrm{COIN}}_{A,B}$ implements a random coin-flip against dishonest Alice, if it holds for any poly-sized adversary $A' \in \mathfrak{P}$ with inputs as specified above that there exists an event $E$ such that $\Pr[E] \in \mathrm{negl}(\kappa)$ and for all $x \in \{0,1\}^\lambda$ it holds that

$$\Pr\big[c \leftarrow \Pi^{\mathrm{COIN}}_{A',B} : c = x \mid \bar{E}\big] \le 2^{-\lambda}.$$

It is obvious that if a coin-flip is random against Alice, then it is also an uncontrollable coin-flip against her. We will later discuss a generic transformation going in the other direction, from uncontrollable to random coin-flipping.

We call a coin-flip enforceable against Alice, if it is possible, given a uniformly random $c$, to simulate a run of the protocol hitting exactly the outcome $c$, though we still allow that the corrupted party forces abort on some outcomes.⁵

Definition 5 (Enforceability against dishonest Alice). We call protocol $\Pi^{\mathrm{COIN}}_{A,B}$ enforceable against dishonest Alice, if it implements the ideal functionality $\mathcal{F}_{\lambda\text{-COIN}}$ against her.

That means that for any poly-sized adversary $A' \in \mathfrak{P}$, there exists an ideal-world adversary $\hat{A}' \in \mathfrak{P}$ that simulates the protocol with $A'$ as follows. $\hat{A}'$ requests output $h \in \{0,1\}^\lambda$ from $\mathcal{F}_{\lambda\text{-COIN}}$. Then it simulates a run of the coin-flip protocol with $A'$ and tries to enforce output $h$. If $\hat{A}'$ succeeds, it inputs $\top$ as $A'$'s second input to $\mathcal{F}_{\lambda\text{-COIN}}$. In that case, $\mathcal{F}_{\lambda\text{-COIN}}$ outputs $h$. Otherwise, $\hat{A}'$ inputs $\bot$ to $\mathcal{F}_{\lambda\text{-COIN}}$ as second input and $\mathcal{F}_{\lambda\text{-COIN}}$ outputs $\bot$. In addition, the simulation is such that the ideal output is quantum-computationally indistinguishable from the output of an actual run of the protocol, i.e., $out^{\Pi}_{A',B} \stackrel{q}{\approx} out^{\mathcal{F}}_{\hat{A}',\hat{B}}$, where $\Pi = \Pi^{\mathrm{COIN}}_{A',B}$ and $\mathcal{F} = \mathcal{F}_{\lambda\text{-COIN}}$. Enforceability against dishonest Bob is analogously defined. Corollary 1 follows.

Corollary 1. If $\Pi^{\mathrm{COIN}}_{A,B} \in \pi^{(\text{force},\text{force})}$, i.e., it is enforceable against both dishonest Alice and dishonest Bob, then $\Pi^{\mathrm{COIN}}_{A,B}$ is a secure implementation of $\mathcal{F}_{\lambda\text{-COIN}}$ according to Definition 2.

⁵ Note that an enforceable coin-flip is not necessarily a random coin-flip, as it is allowed that the outcome of an enforceable coin-flip is only quantum-computationally indistinguishable from uniformly random, whereas a random coin-flip is required to produce truly random outcomes on the non-aborting runs.

4 Mixed Commitments

We use mixed commitment schemes throughout our constructions — they will indeed be our only computational assumption. Mixed commitments are unconditionally hiding for some public keys and unconditionally binding for others. In the following, we introduce mixed commitments, denoted by $\mathrm{commit}_{pk}$, more formally. We also describe a construction of an interactive commitment protocol $\mathrm{COMMIT}_{pk}$ with mixed-commitment-scheme-like properties. The reason for presenting the protocol here is to simplify the description of the later protocol in which it is used as a subprotocol.

4.1 Mixed Commitment Schemes 

Mixed commitment schemes consist of four poly-time algorithms $\mathcal{G}_H$, $\mathcal{G}_B$, $\mathrm{commit}$, and $\mathrm{xtr}$. The unconditionally hiding key generator $\mathcal{G}_H$ outputs public keys $pk \in \{0,1\}^\kappa$.⁶ The unconditionally binding key generator $\mathcal{G}_B$ outputs key pairs $(pk, sk)$, where $pk \in \{0,1\}^\kappa$ and where $sk$ is the secret key. The commitment algorithm takes as input a message $m$, a randomizer $r$ and a public key $pk$ and outputs a commitment $C = \mathrm{commit}_{pk}(m, r)$. The extraction algorithm $\mathrm{xtr}$ takes as input a commitment $C$ and a secret key $sk$ and outputs a message $m'$, meant to be the message committed to by $C$. We require the following properties:

Unconditionally hiding: For keys $pk$ generated by $\mathcal{G}_H$ it holds that $\mathrm{commit}_{pk}$ is statistically hiding, i.e. $(pk, \mathrm{commit}_{pk}(m_1, r_1)) \approx (pk, \mathrm{commit}_{pk}(m_2, r_2))$ for all $m_1, m_2$ when $r_1$ and $r_2$ are uniformly random and independent.

Extractability: It holds for all pairs $(pk, sk)$ generated by $\mathcal{G}_B$ and for all values $m, r$ that $\mathrm{xtr}_{sk}(\mathrm{commit}_{pk}(m, r)) = m$.

Key indistinguishability: A random public key $pk_1$ generated by $\mathcal{G}_B$ and a random public key $pk_2$ generated by $\mathcal{G}_H$ are indistinguishable by poly-sized quantum circuits, i.e., $pk_1 \stackrel{q}{\approx} pk_2$.

We additionally require that random public keys generated by $\mathcal{G}_H$ are statistically close to uniform in $\{0,1\}^\kappa$, i.e., almost all keys are unconditionally hiding.⁷

As a candidate for instantiating our definition we can, for instance, take the lattice-based public-key encryption scheme of Regev [16] in its multi-bit variant as given in the full version of [15]. Regev's cryptosystem is based on the hardness of the learning with errors problem, which can be reduced from worst-case (quantum) hardness of the shortest vector problem (in its decision version). Thus, breaking the scheme implies an efficient algorithm for approximating the lattice problem in the worst case, which is assumed to be hard even with quantum computing power. A regular public key for Regev's scheme is proven to be quantum-computationally indistinguishable from the case where a public key is chosen from the uniform distribution. In this case, the ciphertext carries essentially no information about the message [16, Lemma 5.4]. This proof of semantic security for Regev's cryptosystem is in fact the property we require for our commitment.

⁶ For notational simplicity, the length of public keys is assumed to equal the security parameter $\kappa$.

⁷ The definition is a weakening of the original notion of mixed commitments from [8], in that we do not require that unconditionally hiding keys are equipped with an equivocation trapdoor. It is also a strengthening in that we require quantum indistinguishability of the two key flavors.

4.2 The protocol $\mathrm{COMMIT}_{pk}$

In one of our security amplifications of coin-flip protocols we will need a mixed commitment scheme which also provides equivocability, i.e., a simulator can open unconditionally hiding commitments to different values. We add equivocability using an interactive protocol $\mathrm{COMMIT}_{pk}$. Instead of equipping unconditionally hiding keys with equivocation trapdoors, we will do it by letting the equivocation trapdoor be the ability of the simulator to force the outcome of a coin-flip protocol in the simulation. The reason for this change, as compared to [8], is that the notion of a mixed commitment scheme in [8] was developed for the CRS-model, where the simulator is free to pick the CRS and hence could pick it to be an unconditionally hiding public key with known equivocation trapdoor. Here we are interested in the bare (CRS-devoid) model and hence have to add equivocation in a different manner. This is one of the essential steps in bootstrapping fully simulatable strong coin-flipping from weak coin-flipping.

The protocol $\mathrm{COMMIT}_{pk}$ uses a secret sharing scheme $\mathrm{sss}$, described now. Let $\sigma$ be a secondary security parameter. Given message $m = (m_1, \dots, m_\sigma) \in \mathbb{F}^\sigma$ and randomizer $s = (s_1, \dots, s_\sigma) \in \mathbb{F}^\sigma$, let $f_{m,s}(X)$ denote the unique polynomial of degree at most $2\sigma - 1$ for which $f_{m,s}(-i+1) = m_i$ for $i = 1, \dots, \sigma$ and $f_{m,s}(i) = s_i$ for $i = 1, \dots, \sigma$. Furthermore, we "fill up" positions $i = \sigma+1, \dots, \Sigma$, where $\Sigma = 4\sigma$, by letting $s_i = f_{m,s}(i)$. The shares are now $s = (s_1, \dots, s_\Sigma)$.

We stress two simple facts about $\mathrm{sss}$. First, for any message $m \in \mathbb{F}^\sigma$ and any subset $S \subseteq \{1, \dots, \Sigma\}$ of size $|S| = \sigma$, the shares $s|_S$ are uniformly random in $\mathbb{F}^\sigma$ when the randomizer $s$ is chosen uniformly at random in $\mathbb{F}^\sigma$ and independent of $m$. This aspect is trivial for $S = \{1, \dots, \sigma\}$, as we defined it that way, and it extends to the other subsets using Lagrange interpolation. And second, if $m^1, m^2 \in \mathbb{F}^\sigma$ are two distinct messages, then $\mathrm{sss}(m^1; s^1)$ and $\mathrm{sss}(m^2; s^2)$ have Hamming distance at least $\Sigma - 2\sigma$. Again, this follows by Lagrange interpolation, since the polynomial $f_{m^1,s^1}(X)$ has degree at most $2\sigma - 1$ and hence can be computed from any $2\sigma$ shares $s_i$ using Lagrange interpolation. The same holds for $f_{m^2,s^2}(X)$. Thus, if $2\sigma$ shares are the same, then $f_{m^1,s^1}(X)$ and $f_{m^2,s^2}(X)$ are the same, which implies that the messages $m^1 = (f_{m^1,s^1}(-\sigma+1), \dots, f_{m^1,s^1}(0))$ and $m^2 = (f_{m^2,s^2}(-\sigma+1), \dots, f_{m^2,s^2}(0))$ are the same.

In addition to $\mathrm{sss}$, the protocol $\mathrm{COMMIT}_{pk}$ uses a mixed commitment scheme $\mathrm{commit}_{pk}$. The key generators for $\mathrm{COMMIT}_{pk}$ are the same as for $\mathrm{commit}_{pk}$. Finally, $\mathrm{COMMIT}_{pk}$ uses a coin-flip protocol $\pi^{(\text{random},\text{force})}$ which is random for the committer and which is enforceable against the receiver of the commitment. The details of $\mathrm{COMMIT}_{pk}$ are given in Fig. 2.

We first show that when $(pk, sk)$ is generated using $\mathcal{G}_B$, then $\mathrm{COMMIT}_{pk}$ is extractable. Given any commitment $M = (M_1, \dots, M_\Sigma)$, we extract $\mathrm{xtr}_{sk}(M) = (\mathrm{xtr}_{sk}(M_1), \dots, \mathrm{xtr}_{sk}(M_\Sigma)) = (s_1, \dots, s_\Sigma) = s$. Assume $s' = (s'_1, \dots, s'_\Sigma)$ is the consistent sharing closest to $s$. That means that $s'$ is the vector which is consistent with a polynomial $f_{m',s'}(X)$ of degree at most $2\sigma - 1$ and which at the same time differs from $s$ in the fewest positions. Note that we can find $s'$ in poly-time when using a Reed-Solomon code, which has efficient minimum-distance decoding. We then interpolate the polynomial $f_{m',s'}(X)$, let $m' = (f_{m',s'}(-\sigma+1), \dots, f_{m',s'}(0))$, and let $\mathrm{xtr}_{sk}(M) = m'$. Any other consistent sharing $s'' = (s''_1, \dots, s''_\Sigma)$ must have Hamming distance at least $2\sigma$ to $s'$. Now, since $s$ is closer to $s'$ than to any other consistent sharing, it must, in particular, be closer to $s'$ than to $s''$. This implies that $s$ is at distance at least $\sigma$ to $s''$.

Commitment Scheme $\mathrm{COMMIT}_{pk}$:

Commitment Phase:

1. Let $m \in \mathbb{F}^\sigma$ be the message. The committer samples uniformly random $s \in \mathbb{F}^\sigma$ and computes the shares $\mathrm{sss}(m; s) = (s_1, \dots, s_\Sigma)$, where $s_i \in \mathbb{F}$.

2. He computes $\mathrm{COMMIT}_{pk}(m, (s, r)) = (M_1, \dots, M_\Sigma)$, where $M_i = \mathrm{commit}_{pk}(s_i, r_i)$ for randomness $r = (r_1, \dots, r_\Sigma)$.

3. The committer sends $(M_1, \dots, M_\Sigma)$.

Opening Phase:

1. The committer sends the shares $s = (s_1, \dots, s_\Sigma)$ to the receiver.

2. If the shares are not consistent with a polynomial of degree at most $2\sigma - 1$, the receiver aborts.

3. The parties run $\pi^{(\text{random},\text{force})}$ to generate a uniformly random subset $S \subseteq \{1, \dots, \Sigma\}$ of size $|S| = \sigma$.

4. The committer sends $r|_S$.

5. The receiver verifies that $M_i = \mathrm{commit}_{pk}(s_i, r_i)$ for all $i \in S$. If the test fails, he aborts. Otherwise, he computes the message $m \in \mathbb{F}^\sigma$ consistent with $s$.

Figure 2. The Commitment Scheme $\mathrm{COMMIT}_{pk}$.

We will use this observation for proving soundness of the opening phase. To
determine the soundness error, assume that COMMIT_pk does not open to the shares
s' consistent with s. As observed, this implies that (xtr_sk(M_1), ..., xtr_sk(M_Σ))
has Hamming distance at least σ to s'. However, when commit_pk is unconditionally
binding, each M_i can only be opened to xtr_sk(M_i). From the above two facts,
we have that there are at least σ values i ∈ {1, ..., Σ} such that the committer
cannot open M_i to s_i. Since Σ = 4σ, these σ bad indices (bad for a dishonest
sender) account for a fraction of 1/4 of all points in {1, ..., Σ}. Thus, the
probability that none of the σ points in S is a bad index is at most (3/4)^σ,
which is negligible. Setting σ = κ · log_{4/3} 2 gives a negligible error of
(1/2)^κ, where κ is the security parameter.

We then analyze the equivocability of COMMIT_pk. We will use the ability of the
simulator for the committer to force the challenge S as the simulator's trapdoor.
It will simply pick S uniformly at random before the simulation and prepare for
this particular challenge. The details are given in Fig. 3. We omit an analysis
here but refer to Section 5.2, where the construction will be further discussed.
Simulating COMMIT_pk with Trapdoor S:

1. The simulator 𝒮 gets as input a uniformly random subset S ⊂ {1, ..., Σ} of
size σ and an initial message m ∈ F^σ.

2. 𝒮 commits honestly to m ∈ F^σ by M = COMMIT_pk(m, (s, r)), as specified in
the commitment phase.

3. 𝒮 is given an alternative message m̃ ∈ F^σ, i.e., the aim is opening M to m̃.

4. 𝒮 lets s|_S be the σ messages committed to by M|_S. Then it interpolates the
unique polynomial f_{m̃,s} of degree at most 2σ − 1 for which f_{m̃,s}(i) = s_i
for i ∈ S and for which f_{m̃,s}(−i+1) = m̃_i for i = 1, ..., σ. Note that this
is possible, as we have exactly 2σ points which restrict our choice of f_{m̃,s}.
𝒮 sends the shares (f_{m̃,s}(1), ..., f_{m̃,s}(Σ)) to the receiver.

5. The parties run π^(random,force) and 𝒮 forces the outcome S.

6. For all i ∈ S, the sender opens M_i to f_{m̃,s}(i). This is possible, since
f_{m̃,s}(i) = s_i is exactly the message committed to by M_i when i ∈ S.

Figure 3. The Ideal-World Simulation of COMMIT_pk.



5 Amplification Theorems for Strong Coin-Flipping

We now propose and prove theorems which allow us to amplify the security
strength of coins. Ultimately, we aim at constructing a strong coin-flip protocol
π^(force,force) with outcomes of any polynomial length ℓ from a weaker coin-flip
protocol π^(force,uncont) for κ-bit-strings, where κ is the key length of the
mixed commitment scheme. We do this in two steps. We first show how to implement
π^(force,random) for ℓ-bit-strings (for any polynomial ℓ) given π^(force,uncont)
for κ-bit-strings, and we then show how to implement π^(force,force) for poly-long
bit-strings given π^(force,random) for poly-long bit-strings.

The ability to amplify π^(force,uncont) for κ-bit-strings to π^(force,force) for
poly-long bit-strings is of course only interesting if there exists such a
candidate. We do not know of any protocol with flavor (force, uncont) but not
(force, random). However, we consider it as a contribution in itself to find the
weakest security notion for coin-flipping that allows amplifying to the final
strong (force, force) notion using a constant-round reduction.

A candidate for π^(force,random) with one-bit outcomes is the protocol in [7],
which is — in terms of this context — enforceable against one side in poly-time
and random on the other side, with empty event E according to Definition 4,
and the randomness guarantee even withstanding an unbounded adversary.^8 The
protocol was shown to be sequentially composable [7, 14]. Repeating the protocol
κ times in sequence gives a protocol π^(force,random) for κ-bit-strings. Note that
this, in particular, gives a protocol π^(force,uncont) for κ-bit-strings.

^8 The protocol was described and proven as π^(random,force), but due to the
symmetric coin-flip definitions here, we can easily switch sides between A and B.
5.1 From (force, uncont) to (force, random)

Assume that we are given a protocol π^(force,uncont) that only guarantees that Bob
cannot force the coin to hit a negligible subset (except with negligible
probability). We now amplify the security on Bob's side from uncontrollable to
random and therewith obtain a protocol π^(force,random), in which Bob cannot
enforce a non-uniformly random output string, except by letting the protocol fail
on some occasions. The stronger protocol π^(force,random) is given in Fig. 4,
where commit_pk is the basic mixed commitment scheme as described in Section 4.1.
Correctness of π^(force,random) is obvious by inspection of the protocol.



Protocol π^(force,random):

1. A and B run π^(force,uncont) to produce a public key pk ∈ {0,1}^κ.

2. A samples a ∈_R {0,1}^ℓ, commits to it with A = commit_pk(a, r) and
randomizer r ∈_R {0,1}^ℓ, and sends A to B.

3. B samples b ∈_R {0,1}^ℓ and sends b to A.

4. A opens A towards B.

5. The outcome is c = a ⊕ b.

Figure 4. Amplification from (force, uncont) to (force, random).



Theorem 1. If π^(force,uncont) is enforceable against Alice and uncontrollable
against Bob, then protocol π^(force,random) is enforceable against Alice and
random for Bob.

We sketch the basic ideas behind the proof, which can be found in greater detail
in Appendix A. Enforceability against A follows by forcing pk to be a key
generated as (pk, sk) ← G_B. The simulator then uses sk to extract a from A and
then sends the b which makes a ⊕ b hit the desired outcome. Randomness against B
follows from the fact that only a negligible fraction of the keys pk ∈ {0,1}^κ
are not unconditionally hiding keys and the outcome of π^(force,uncont) is
uncontrollable for B.

5.2 From (force, random) to (force, force)

We now show how to obtain a coin-flip protocol which is enforceable against
both parties. Then, we can also claim by Corollary 1 that this protocol is a
strong coin-flip protocol, poly-time simulatable on both sides for the natural
ideal functionality F_COIN. The protocol π^(force,force) is described in Fig. 5
and uses the extended commitment construction COMMIT_pk from Section 4.2. The
protocol makes two calls to a subprotocol with random flavor on one side and
enforceability on the other side, but where the sides are interchanged, i.e.
π^(force,random) and π^(random,force), so we simply switch the players' roles.
Again, correctness of the protocol can be trivially checked.
Protocol π^(force,force):

1. A and B run π^(force,random) to produce a random public key pk ∈ {0,1}^κ.

2. A computes and sends commitments COMMIT_pk(a, (s, r)) = (A_1, ..., A_Σ) to
B. In more detail, A samples uniformly random a, s ∈ F^σ. She then computes
sss(a; s) = (a_1, ..., a_Σ) and A_i = commit_pk(a_i, r_i) for i = 1, ..., Σ.

3. B samples uniformly random b ∈ {0,1}^ℓ and sends b to A.

4. A sends the secret shares (a_1, ..., a_Σ) to B. If (a_1, ..., a_Σ) is not
consistent with a polynomial of degree at most (2σ − 1), B aborts.

5. A and B run π^(random,force) to produce a challenge S ⊂ {1, ..., Σ} of size
|S| = σ.

6. A sends r|_S to B.

7. B checks if A_i = commit_pk(a_i, r_i) for all i ∈ S. If that is the case, B
computes the message a ∈ F^σ consistent with (a_1, ..., a_Σ) and the outcome
of the protocol is c = a ⊕ b. Otherwise, B aborts and the outcome is c = ⊥.

Figure 5. Amplification from (force, random) to (force, force).

Theorem 2. If π^(force,random) is enforceable against Alice and random against
Bob, then protocol π^(force,force) is enforceable against both Alice and Bob.

We sketch the main ideas behind the proof, which can be found in greater detail
in Appendix B. Enforceability against A follows by forcing pk to be a key pk
generated as (pk, sk) ← G_B. The simulator then uses sk to extract a from
(A_1, ..., A_Σ). Then it sends the b that makes a ⊕ b hit the desired outcome.
Enforceability against B follows by letting the simulator sample a uniformly
random S and running COMMIT_pk(a, (s, r)) = (A_1, ..., A_Σ) in the equivocal
model with trapdoor S. Then the simulator waits for b and forces the outcome
of π^(random,force) to be S, which allows it to open (A_1, ..., A_Σ) to the a
that makes a ⊕ b hit the desired outcome.
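As an added worked example (not code from the paper or its authors), the following Python models the sharing sss and the cut-and-choose commitment COMMIT_pk of Fig. 2, the trapdoor opening of Fig. 3, and a run of the (force, force) coin flip of Fig. 5, including the Bob-side simulation from the proof sketch above, where the simulator fixes the challenge S in advance and opens to a = b ⊕ h. Its assumptions: the field F is GF(P) with P = 2^31 − 1; share index i of the paper is list index i − 1; commit_pk is replaced by a SHA-256 hash commitment (the mixed commitment scheme of Section 4.1 is not modelled, only its binding role); the sub-protocols producing pk and S are replaced by a seeded random generator; and a ⊕ b is taken bitwise on the integer representation of the σ field elements.

```python
# Added example (not from the paper): sss, COMMIT_pk (Fig. 2), its trapdoor
# opening (Fig. 3) and the (force, force) coin flip of Fig. 5 with Bob's-side
# simulation. Assumptions: field GF(P) with P = 2^31 - 1; share index i of the
# paper is list index i - 1 here; commit_pk is replaced by a SHA-256 commitment;
# the key pk and the challenge S come from a seeded RNG instead of coin flips.
import hashlib
import math
import random

P = 2**31 - 1  # prime modulus of the toy field F (assumption)


def lagrange_eval(points, x):
    """Evaluate the unique polynomial through `points` [(x_i, y_i)] at x over GF(P)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def sss(m, s):
    """sss(m; s): Sigma = 4*sigma shares f(1), ..., f(Sigma) of the polynomial f of
    degree <= 2*sigma - 1 with f(-i+1) = m_i and f(i) = s_i for i = 1, ..., sigma."""
    sigma = len(m)
    pts = [(1 - i, m[i - 1]) for i in range(1, sigma + 1)]
    pts += [(i, s[i - 1]) for i in range(1, sigma + 1)]
    return [lagrange_eval(pts, x) for x in range(1, 4 * sigma + 1)]


def consistent_message(shares, sigma):
    """Opening steps 2 and 5: the message m in F^sigma consistent with the shares,
    or None if they do not lie on one polynomial of degree <= 2*sigma - 1."""
    pts = [(i + 1, y) for i, y in enumerate(shares)]
    base = pts[:2 * sigma]  # 2*sigma points determine the polynomial
    if any(lagrange_eval(base, x) != y for x, y in pts[2 * sigma:]):
        return None
    return [lagrange_eval(base, 1 - i) for i in range(1, sigma + 1)]


def commit(pk, value, r):
    """Stand-in for commit_pk(value, r): a hash commitment (binding only)."""
    return hashlib.sha256(f"{pk}|{value}|{r.hex()}".encode()).hexdigest()


def COMMIT(pk, m, s, r):
    """COMMIT_pk(m, (s, r)) of Fig. 2: one commit_pk per share; returns (M, shares)."""
    shares = sss(m, s)
    return [commit(pk, sh, r[i]) for i, sh in enumerate(shares)], shares


def verify_opening(pk, M, shares, S, r_S, sigma):
    """Receiver's opening phase: consistency check, then the spot check on S."""
    m = consistent_message(shares, sigma)
    if m is None or any(M[i] != commit(pk, shares[i], r_S[i]) for i in S):
        return None
    return m


def equivocate(shares, S, m_tilde, sigma):
    """Fig. 3 step 4: with trapdoor S, shares of m_tilde that agree with the
    committed shares at the sigma positions in S (so the spot check passes)."""
    pts = [(1 - i, m_tilde[i - 1]) for i in range(1, sigma + 1)]
    pts += [(i + 1, shares[i]) for i in S]
    return [lagrange_eval(pts, x) for x in range(1, 4 * sigma + 1)]


def min_sigma(kappa):
    """Smallest sigma with (3/4)^sigma <= 2^-kappa, i.e. sigma >= kappa*log_{4/3} 2."""
    return math.ceil(kappa * math.log(2) / math.log(4 / 3))


def coin_flip_fig5(sigma, seed, simulate_h=None):
    """Fig. 5 between A and B; outcome c = a XOR b, componentwise on sigma words.
    With simulate_h, A's side is the simulator of the proof sketch: it picks S
    before the run and, after seeing b, opens to a = b XOR h via equivocate."""
    rng = random.Random(seed)
    Sigma = 4 * sigma
    pk = rng.getrandbits(64)                                     # step 1 (modelled)
    a = [rng.randrange(P) for _ in range(sigma)]                 # step 2
    s = [rng.randrange(P) for _ in range(sigma)]
    r = [rng.getrandbits(128).to_bytes(16, "big") for _ in range(Sigma)]
    M, shares = COMMIT(pk, a, s, r)
    b = [rng.getrandbits(30) for _ in range(sigma)]              # step 3
    S = sorted(rng.sample(range(Sigma), sigma))                  # step 5 (or forced)
    if simulate_h is not None:
        a = [bi ^ hi for bi, hi in zip(b, simulate_h)]           # a = b XOR h (< P)
        shares = equivocate(shares, S, a, sigma)                 # step 4, simulated
    m = verify_opening(pk, M, shares, S, {i: r[i] for i in S}, sigma)  # steps 4-7
    return None if m is None else [mi ^ bi for mi, bi in zip(m, b)]
```

The honest run returns a ⊕ b for whatever a the committer chose; the simulated run returns exactly the h handed in, because the equivocated shares agree with the committed ones on S and lie on a single polynomial of degree at most 2σ − 1, so both receiver checks pass. The function min_sigma gives the σ the text's parameter choice requires for a given κ.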

6 Application: Zero-Knowledge Proof of Knowledge 

The purpose of a zero-knowledge proof of knowledge [1,10] is to verify in classical
poly-time in the length of the instance, whether the prover's private input w is a
valid witness for the common instance x in relation R, i.e. (x, w) ∈ R. Here, we
propose a quantum-secure construction of a zero-knowledge proof of knowledge 
based on witness encoding, which we define in the context of a simulation in 
the quantum world. The protocol is constant-round if the coin-flip protocol is 
constant-round. 

6.1 Simulatable Witness Encodings of NP

We first specify a simulatable encoding scheme for a binary relation
R ⊂ {0,1}* × {0,1}*, which consists of five classical poly-time algorithms
(E, D, S, J, Σ). Then, we define completeness, extractability and simulatability
for such a scheme in terms of the requirements of our zero-knowledge proof of
knowledge.






Let E : R × {0,1}^m → {0,1}^n denote an encoder, such that for each
(x, w) ∈ R, the n-bit output e ← E(x, w, r') is a random encoding of w, with
randomness r' ∈ {0,1}^m and polynomials m(|x|) and n(|x|). The corresponding
decoder D : {0,1}* × {0,1}^n → {0,1}* takes as input an instance x ∈ {0,1}* and
an encoding e ∈ {0,1}^n and outputs w ← D(x, e) with w ∈ {0,1}*. Next, let S
denote a selector with input s ∈ {0,1}^σ (with polynomial σ(|x|)) specifying a
challenge, and output S(s) defining a poly-sized subset of {1, ..., n}
corresponding to challenge s. We will use S(s) to select which bits of an
encoding e to reveal to the verifier. For simplicity, we use e_s to denote the
collection of bits e|_{S(s)}. We denote with J the judgment that checks a
potential encoding e by inspecting only the bits e_s. In more detail, J takes as
input instance x ∈ {0,1}*, challenge s ∈ {0,1}^σ and the |S(s)| bits e_s, and
outputs a judgment j ← J(x, s, e_s) with j ∈ {abort, success}. Finally, the
simulator is called Σ. It takes as input instance x ∈ {0,1}* and challenge
s ∈ {0,1}^σ and outputs a random collection of bits t|_{S(s)} ← Σ(x, s). Again
for simplicity, we let t_s = t|_{S(s)}. Then, if this set has the same
distribution as the bits of an encoding e in positions S(s), the bits needed
for the judgment to check an encoding e can be simulated given just instance x
(see Definition 8).

Definition 6 (Completeness). If an encoding e ← E(x, w, r') is generated
correctly, then success ← J(x, s, e_s) for all s ∈ {0,1}^σ.

We will call an encoding e admissible for x if there exist two distinct
challenges s, s' ∈ {0,1}^σ for which success ← J(x, s, e_s) and
success ← J(x, s', e_{s'}).

Definition 7 (Extractability). If an encoding e is admissible for x, then
(x, D(x, e)) ∈ R.

We stress that extractability is similarly defined to the special soundness
property of a classical Σ-protocol, which allows extracting w from two accepting
conversations with distinct challenges. Such a requirement would generally be 
inapplicable in the quantum setting, as the usual rewinding technique is prob- 
lematic and in particular in the context here, we cannot measure two accepting 
conversations during rewinding in the quantum world. Therefore, we define the 
stronger requirement that if there exist two distinct answerable challenges for 
one encoding e, then w can be extracted given only e. This condition works 
nicely in the quantum world, since we can obtain e without rewinding, as we 
demonstrate below. 

Definition 8 (Simulatability). For all (x, w) ∈ R and all s ∈_R {0,1}^σ, the
distribution of e ← E(x, w, r') restricted to positions S(s) is identical to the
distribution of t_s ← Σ(x, s).

To construct a simulatable witness encoding one can, for instance, start from
the commit-and-open protocol for circuit satisfiability in [3], where the bits of
the randomized circuit committed to by the sender are easy to see as a
simulatable encoding of a witness being a consistent evaluation of the circuit
to output 1. The challenge in the protocol is one bit e and the prover replies by
showing either the bits corresponding to some positions S'(0) or positions S'(1).
The details can be found in [3]. This gives us a simulatable witness encoding for
any NP-relation R with σ = 1, using a Karp reduction from NP to circuit
satisfiability. By repeating it σ times in parallel we get a simulatable witness
encoding for any σ. For i = 1, ..., σ, compute an encoding e^i of w and let
e = (e^1, ..., e^σ). Then for s ∈ {0,1}^σ, let S(s) specify that the bits S'(s_i)
should be shown in e^i, and check these bits. Note, in particular, that if two
distinct s and s' pass this judgment, then there exists i such that s_i ≠ s'_i,
so e^i passes the judgment for both s_i = 0 and s_i = 1, which by the properties
of the protocol for circuit satisfiability allows computing a witness w for x
from e^i. One can find w from e simply by trying to decode each e^j for
j = 1, ..., σ and checking whether (x, w_j) ∈ R.
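The following is an added example, not code from the paper or its authors: a simulatable witness encoding (E, D, S, J, Σ) in the sense of this section, built from a scheme with a one-bit challenge and repeated σ times in parallel exactly as the paragraph above does, with the decoder that tries every block e^j. It assumes, instead of the circuit-satisfiability scheme of [3], a base scheme for the discrete-log relation R = {(x, w) : x = G^w mod P} in a toy prime-order subgroup (P = 1019, Q = 509, G = 4), and it treats one integer slot of an encoding as one "position" rather than one bit. The base encoding of w with randomness ρ is e = (t, ρ, z) with t = G^ρ and z = ρ + w; challenge bit 0 reveals (t, ρ), challenge bit 1 reveals (t, z).

```python
# Added example (not from the paper): a simulatable witness encoding
# (E, D, S, J, Sigma) from a one-challenge-bit base scheme, repeated sigma times
# in parallel. Assumptions: base relation is discrete log in the order-Q subgroup
# of Z_P* (P = 1019, Q = 509, G = 4); a "position" is one integer slot of e.
import random

P, Q, G = 1019, 509, 4  # safe prime P = 2Q + 1 and a generator G of order Q


def in_R(x, w):
    """(x, w) in R  <=>  x = G^w mod P."""
    return pow(G, w, P) == x


# ---- base scheme, sigma = 1: e = (t, rho, z) with t = G^rho, z = rho + w ----
def E1(x, w, rho):
    return (pow(G, rho, P), rho, (rho + w) % Q)


def S1(bit):
    """S'(0) reveals slots (t, rho); S'(1) reveals slots (t, z)."""
    return (0, 1) if bit == 0 else (0, 2)


def J1(x, bit, e_s):
    """Bit 0: check G^rho = t.  Bit 1: check G^z = t * x."""
    t, v = e_s
    return pow(G, v, P) == (t if bit == 0 else t * x % P)


def D1(x, e):
    """Given both halves, the witness is w = z - rho."""
    return (e[2] - e[1]) % Q


def SIM1(x, bit, v):
    """Revealed slots for exponent v without knowing w: (G^v, v) for bit 0,
    (G^v / x, v) for bit 1. With v uniform in Z_Q this equals the distribution
    of a real encoding restricted to S'(bit), which is Definition 8."""
    t = pow(G, v, P) if bit == 0 else pow(G, v, P) * pow(x, P - 2, P) % P
    return (t, v)


# ---- sigma-fold parallel repetition, challenge s in {0,1}^sigma -------------
def E(x, w, rand):
    """e = (e^1, ..., e^sigma), one base encoding per randomizer in rand."""
    return [E1(x, w, rho) for rho in rand]


def S(s):
    """Positions (block i, slot j) to reveal: S'(s_i) inside e^i."""
    return [(i, j) for i, bit in enumerate(s) for j in S1(bit)]


def reveal(e, s):
    """e_s = e restricted to S(s), as a dict keyed by position."""
    return {(i, j): e[i][j] for (i, j) in S(s)}


def J(x, s, e_s):
    """Judgment: every block must pass its base check on the revealed slots."""
    ok = all(J1(x, bit, (e_s[(i, 0)], e_s[(i, S1(bit)[1])]))
             for i, bit in enumerate(s))
    return "success" if ok else "abort"


def D(x, e):
    """Decoder: try every block e^j and keep the first candidate that is a witness."""
    for ei in e:
        w = D1(x, ei)
        if in_R(x, w):
            return w
    return None


def SIM(x, s, seed):
    """Sigma(x, s): simulated revealed slots t_s for challenge s, from x alone."""
    rng = random.Random(seed)
    t_s = {}
    for i, bit in enumerate(s):
        t, v = SIM1(x, bit, rng.randrange(Q))
        t_s[(i, 0)], t_s[(i, S1(bit)[1])] = t, v
    return t_s


def fake_encoding(x, s, vs):
    """An encoding prepared without w for one specific challenge s: the slots S(s)
    are produced as the simulator would (exponents vs), the hidden slot is 0.
    It passes J for s only (unless some vs[i] happens to hit the witness), so it
    is not admissible and D finds no witness in it."""
    e = []
    for i, bit in enumerate(s):
        t, v = SIM1(x, bit, vs[i])
        e.append((t, v, 0) if bit == 0 else (t, 0, v))
    return e
```

Two distinct challenges that both pass force some block i to pass both of its checks, and from (t, ρ, z) of that block D1 recovers z − ρ = w; that is the extractability of Definition 7 without any rewinding. The fake_encoding helper shows the other side: an encoding built for a single known challenge answers that challenge and no other, which is why the protocol's challenge must be flipped after the encoding is committed.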

6.2 The Protocol

We now construct a quantum-secure zero-knowledge proof of knowledge from
prover A to verifier B. We are interested in the NP-language
L(R) = {x ∈ {0,1}* | ∃w s.t. (x, w) ∈ R}, where A has input x and w, and
both A and B receive a positive or negative judgment of the validity of the
proof as output. We assume in the following that on input (x, w) ∉ R, honest A
aborts. Unlike zero-knowledge proofs, proofs of knowledge can be modeled by
an ideal functionality, given as F_ZKPK(R) in Fig. 6. F_ZKPK(R) can be thought of
as a channel which only allows sending messages in the language L(R). It models
zero-knowledge, as it only leaks instance x and judgment j but not witness w.
Furthermore, it models a proof of knowledge, since Alice has to know and input
a valid witness w to obtain output j = success.



Functionality F_ZKPK(R):

1. On input (x, w) from Alice, F_ZKPK(R) sets j = success if (x, w) ∈ R.
Otherwise, it sets j = abort.

2. F_ZKPK(R) outputs (x, j) to Bob.

Figure 6. The Ideal Functionality for a Zero-Knowledge Proof of Knowledge.

Protocol ZKPK(R) is described in Fig. 7. It is based on our fully simulatable
coin-flip protocol π^(force,force), which we analyze here in the hybrid model by
invoking the ideal functionality of sequential coin-flipping twice (but with
different output lengths).^9 One call to the ideal functionality F_COIN with
output length κ is required to instantiate a mixed bit commitment scheme
commit_pk. The second call to the functionality F_COIN produces σ-bit challenges
for a simulatable witness encoding scheme with (E, D, S, J, Σ) as specified in
the previous Section 6.1. The formal proof of Theorem 3 can be found in
Appendix C. Corollary 2 follows immediately.

^9 Note that in the hybrid model, a simulator can enforce a particular outcome to
hit also when invoking the ideal coin-flip functionality. We then use Definition 5
to replace the ideal functionality by the actual protocol π^(force,force).

Theorem 3. For any simulatable witness encoding scheme (E, D, S, J, Σ),
satisfying completeness, extractability, and simulatability according to
Definitions 6 - 8, and for negligible knowledge error 2^(−σ), protocol ZKPK(R)
securely implements F_ZKPK(R).

Corollary 2. If there exist mixed commitment schemes, then we can construct
a classical zero-knowledge proof of knowledge against any quantum adversary
P' ∈ 𝔓 without any set-up assumptions.



Protocol ZKPK(R):

1. A and B invoke F_COIN to get a commitment key pk ∈ {0,1}^κ.

2. A samples e ← E(x, w, r') with randomness r' ∈ {0,1}^m and commits
position-wise to all e_i for i = 1, ..., n, by computing E_i = commit_pk(e_i, r_i)
with randomness r ∈ {0,1}^n. She sends x and all E_i to B.

3. A and B invoke F_COIN to flip a challenge s ∈_R {0,1}^σ.

4. A opens her commitments to all e_s.

5. If any opening is incorrect, B outputs abort. Otherwise, he outputs
j ← J(x, s, e_s).

Figure 7. Zero-Knowledge Proof of Knowledge.



7 Application: Two-Party Function Evaluation 

Here, we first show that mixed commitments imply a passively secure oblivi- 
ous transfer protocol. From such a protocol it is straightforward to construct a 
protocol for any classical poly-time function with security against passive quan- 
tum adversaries [13]. We then propose a quantum-secure implementation for 
evaluating any such function with security against active quantum adversaries. 

7.1 Oblivious Transfer 

In an oblivious transfer protocol (OT), the sender A sends two messages m_0 and
m_1 to the selector B. B can choose which message to receive, i.e. m_c according
to his choice bit c. B does not learn anything about the other message m_{1−c},
and A does not learn B's choice bit c (see Fig. 8). The protocol is correct, as
B knows sk_c and xtr_{sk_c}(C_c) = xtr_{sk_c}(commit_{pk_c}(m_c, r_c)) = m_c.
Furthermore, it hides the other message m_{1−c} as commit_{pk_{1−c}} is
unconditionally hiding for random pk_{1−c}, except with negligible probability.
Last, the choice bit is hidden in the sense of quantum-computational
indistinguishability between keys for the outer commitments, namely a key
produced by G_B and a random key by G_H.
Protocol OT:

1. B samples two keys pk_0 and pk_1 according to his choice bit c, i.e. he
samples pk_c as (pk_c, sk_c) ← G_B and pk_{1−c} as pk_{1−c} ← G_H. He sends
(pk_0, pk_1) to A.

2. A commits to her messages (m_0, m_1) by computing C_0 = commit_{pk_0}(m_0, r_0)
and C_1 = commit_{pk_1}(m_1, r_1). She sends (C_0, C_1) to B.

3. B computes xtr_{sk_c}(C_c).

Figure 8. Oblivious Transfer based on Mixed Commitments.

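As an added example (not code from the paper or its authors), the following Python stands in a toy extractable commitment for the mixed commitment scheme and uses it for two things the text describes: the (force, random) coin flip of Fig. 4 together with the simulator strategy of Theorem 1 (enforce an extractable key, extract a, answer b = h ⊕ a), and the oblivious transfer of Fig. 8. Its assumptions: a subgroup of prime order Q in Z_P* with P = 2Q + 1 = 1019 and generator G = 4; commit_pk(m, r) = (G^r, pk^r · G^m) for 8-bit messages; G_B returns pk = G^sk together with sk, playing the role of the paper's extractable keys; G_H returns a random subgroup element. The paper's random keys are unconditionally hiding, which this toy does not reproduce (the discrete log is merely unknown and the parameters are tiny), so it illustrates the roles of the two key types, not their security.

```python
# Added example (not from the paper): a toy extractable commitment standing in
# for the mixed commitment scheme, used for the (force, random) coin flip of
# Fig. 4 with the simulator of Theorem 1, and for the oblivious transfer of Fig. 8.
# Assumptions: order-Q subgroup of Z_P* (P = 2Q+1 = 1019, G = 4);
# commit_pk(m, r) = (G^r, pk^r * G^m); G_B gives pk = G^sk with sk (extractable);
# G_H gives a random subgroup element. Hiding is NOT unconditional in this toy.
import random

P, Q, G = 1019, 509, 4   # safe prime P = 2Q + 1, G generates the order-Q subgroup
ELL = 8                  # coin / message length in bits (assumption), 2^ELL < Q


def keygen_B(rng):
    """G_B: an extractable key pk = G^sk together with the extraction key sk."""
    sk = rng.randrange(1, Q)
    return pow(G, sk, P), sk


def keygen_H(rng):
    """G_H: a random subgroup element (a random square), with no known dlog."""
    return pow(rng.randrange(2, P - 1), 2, P)


def commit(pk, m, r):
    """commit_pk(m, r) = (G^r, pk^r * G^m) for an ELL-bit message m."""
    return pow(G, r, P), pow(pk, r, P) * pow(G, m, P) % P


def open_check(pk, c, m, r):
    """Receiver's check of an opening (m, r) of commitment c."""
    return commit(pk, m, r) == c


def xtr(sk, c):
    """xtr_sk: with pk = G^sk, cancel pk^r = c1^sk and read m off G^m."""
    c1, c2 = c
    gm = c2 * pow(pow(c1, sk, P), P - 2, P) % P
    for m in range(2**ELL):
        if pow(G, m, P) == gm:
            return m
    raise ValueError("commitment does not contain an ELL-bit message")


def coin_flip_fig4(seed, sim_h=None):
    """Fig. 4 between A and B. Without sim_h both are honest and pk is a random
    key. With sim_h, B's side is the simulator of Theorem 1: it enforces an
    extractable pk, extracts a from A's commitment and answers b = h XOR a, so
    the outcome is h whenever A opens correctly (None stands for the abort)."""
    rng = random.Random(seed)
    if sim_h is None:
        pk, sk = keygen_H(rng), None                      # step 1, honest run
    else:
        pk, sk = keygen_B(rng)                            # step 1, simulator forces pk
    a, r = rng.getrandbits(ELL), rng.randrange(1, Q)
    A = commit(pk, a, r)                                  # step 2
    b = rng.getrandbits(ELL) if sim_h is None else sim_h ^ xtr(sk, A)   # step 3
    if not open_check(pk, A, a, r):                       # step 4
        return None
    return a ^ b                                          # step 5


def oblivious_transfer(seed, m0, m1, c):
    """Fig. 8: B makes pk_c extractable and pk_{1-c} a random key; A commits to
    m_0 under pk_0 and m_1 under pk_1; B extracts only m_c. Returns B's output."""
    rng = random.Random(seed)
    pk_c, sk_c = keygen_B(rng)
    pk_other = keygen_H(rng)
    pk = [pk_c, pk_other] if c == 0 else [pk_other, pk_c]            # step 1
    C = [commit(pk[0], m0, rng.randrange(1, Q)),                     # step 2
         commit(pk[1], m1, rng.randrange(1, Q))]
    return xtr(sk_c, C[c])                                           # step 3
```

Extraction works because c_1^sk = G^(r·sk) = pk^r cancels the masking term and leaves G^m, which a table over the 2^ELL possible messages inverts; in the honest run no such sk exists, so b is chosen independently of a and the outcome is a fresh coin.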
7.2 The Protocol 

Based on protocol OT, we can construct a passively secure protocol for any
classical poly-time function f. Let Π^f_AB(x_1, r_1, x_2, r_2) denote such a
protocol between parties A and B with inputs x_1 and x_2 and random strings r_1
and r_2, respectively. We show an implementation of the ideal functionality
F^f_FE evaluating — with security against active quantum adversaries — any
classical poly-time function f for which there exists a classical passively
secure protocol as described above. Functionality F^f_FE is shown in Fig. 9.^10
The implementation of F^f_FE is shown in Fig. 10. Corollary 3 is proven in
Appendix D.

Corollary 3. If there exist mixed commitment schemes, then there exists a
classical implementation of F^f_FE for all classical poly-time functions f
secure according to Definitions 1 and 2.



Functionality F^f_FE with honest players:

On input x_1 from Alice and x_2 from Bob, F^f_FE outputs y = f(x_1, x_2) to Alice
and Bob.

Functionality F^f_FE with dishonest Alice:

1. On input x_1 from Alice and x_2 from Bob, F^f_FE outputs y = f(x_1, x_2) to
Alice.

2. It then waits to receive her second input ⊤ or ⊥ and outputs y or ⊥ to Bob,
respectively.

Figure 9. The Ideal Functionality for Secure Function Evaluation.



^10 Note that y does not need to be kept secret from external observers, and the
functionality also allows the adversary to abort depending on the value of y. We
stress that it is no restriction that we consider common outputs nor that we
leak y to observers. If we want to compute a function g(x_1, x_2) = (y_1, y_2)
where only A (B) learns y_1 (y_2), we evaluate the common output function
y = f((x_1, p_1), (x_2, p_2)) as follows. Public y contains y_1 ⊕ p_1 and
y_2 ⊕ p_2, where p_1 and p_2 are A's and B's uniformly random additional inputs
of the same length as y_1 and y_2. Thus, the common outputs are one-time pad
encrypted using pads known only to the party who is to learn the result.
Protocol implementing F^f_FE:

1. A and B invoke F_COIN to get a commitment key pk ∈ {0,1}^κ.

2. A sends a random commitment X_1 = commit_pk(x_1, r̂_1) and B sends a random
commitment X_2 = commit_pk(x_2, r̂_2). Both parties use F_ZKPK(R) to give a
zero-knowledge proof of knowledge that they know the plaintext x_i inside
commitment X_i for i = 1, 2.

3. A sends a random commitment S_1 = commit_pk(s_1, r̂_1) for uniformly random
s_1 of length |s_1| = |r_1|, where r_1 is the randomness she intends to use in
Π^f_AB. Similarly, B sends a random commitment S_2 = commit_pk(s_2, r̂_2) for
uniformly random s_2 of length |s_2| = |r_2|. Again, they use F_ZKPK(R) to give
a zero-knowledge proof of knowledge of s_i in S_i for i = 1, 2.

4. A and B invoke F_COIN twice to get uniformly random s'_1 and s'_2 with
|s'_i| = |s_i| for i = 1, 2.

5. A lets r_1 = s_1 ⊕ s'_1 and B lets r_2 = s_2 ⊕ s'_2.

6. A and B run Π^f_AB(x_1, r_1, x_2, r_2), i.e. they run the passively secure
protocol on inputs and randomness as defined in the previous steps.

7. Whenever A sends a message m in the execution of Π^f_AB(x_1, r_1, x_2, r_2),
she gives a zero-knowledge proof of knowledge of s_1 in S_1 and x_1 in X_1,
such that if Π^f_AB(x_1, r_1, x_2, r_2) is run on x_1, r_1 = s_1 ⊕ s'_1, and B's
messages sent to A so far, then A would indeed send m. This is an NP-statement,
so we can use F_ZKPK(R) for this proof.

8. If Π^f_AB(x_1, r_1, x_2, r_2) terminates with output y, both parties output y.

Figure 10. Procedure for Secure Function Evaluation.
A Proof of Theorem 1 (Enforceability and Randomness)

Proof (Enforceability against Alice). In case of corrupted A', the simulator Â'
samples (pk, sk) ← G_B as input. It then requests a uniformly random value h
from F_COIN. It runs π^(force,uncont) with A', in which Â' enforces the outcome
pk in the first step. When A' sends commitment A, Â' uses sk to decrypt A to
learn the unique string a that A can be opened to. Â' computes b = h ⊕ a and
sends b to A'. If A' opens commitment A correctly, then the result is
c = a ⊕ b = a ⊕ (h ⊕ a) = h, as desired. In case she does not open correctly,
Â' aborts with result ⊥. Otherwise, Â' outputs whatever A' outputs.

Since h is uniformly random and independent of A and a, it follows that
b = h ⊕ a is uniformly random and independent of A, exactly as in the protocol.
Therefore, the transcript of the simulation has the same distribution as the real
protocol, except that pk is uniform in 𝒳 and not in {0,1}^κ. This is, however,
quantum-computationally indistinguishable, as otherwise A' could distinguish
random access to samples from 𝒳 from random access to samples from {0,1}^κ.
The formal proof proceeds through a series of hybrids as described in full detail
in the proof of Theorem 2 in Appendix B.

The above two facts, that first we hit h when we do not abort, and second that
the transcript of the simulation is quantum-computationally indistinguishable
from the real protocol, show that the resulting protocol is enforceable against
Alice and simulatable on Alice's side for functionality F_COIN, according to
Definition 5 combined with Theorem 5. ∎

Proof (Randomness against Bob). For any B', pk is uncontrollable, i.e.
pk ∈ {0,1}^κ \ 𝒳, except with negligible probability, as 𝒳 is negligible in
{0,1}^κ. This, in particular, means that the commitment A perfectly hides the
value a. Therefore, a is uniformly random and independent of b, and thus,
h = a ⊕ b is uniformly random. This proves that the resulting coin-flip is
random against Bob, according to Definition 4. ∎



B Proof of Theorem 2 (Enforceability)

Proof (Enforceability against Alice). If A' is corrupted, the simulator Â'
samples (pk, sk) ← G_B as input and enforces π^(force,random) in the first step
to hit the outcome pk. It then requests value h from F_COIN. When A' sends
commitments (A_1, ..., A_Σ), Â' uses sk to extract a' with
(a'_1, ..., a'_Σ) = (xtr_sk(A_1), ..., xtr_sk(A_Σ)). Â' then sets b = h ⊕ a' and
sends b to A'. Then Â' finishes the protocol honestly. In the following, we
will prove that the transcript is quantum-computationally indistinguishable
from the real protocol and that if c ≠ ⊥, then c = h, except with negligible
probability.
First, we show indistinguishability. The proof proceeds via a hybrid
argument.^11 Let D^0 denote the distribution of the output of the simulation as
described. We now change the simulation such that, instead of sending
b = h ⊕ a', we simply choose a uniformly random b ∈ {0,1}^ℓ and then output the
corresponding h = a' ⊕ b. Let D^1 denote the distribution of the output of the
simulation after this change. Since h is uniformly random and independent of a'
in the first case, it follows that then b = h ⊕ a' is uniformly random.
Therefore, the change to choose a uniformly random b in the second case actually
does not change the distribution at all, and it follows that D^0 = D^1.

By sending a uniformly random b, we are in a situation where we do not need
the decryption key sk to produce D^1, as we no longer need to know a'. So we
can now make the further change that, instead of forcing π^(force,random) to
produce a random public key pk ∈ 𝒳, we force it to hit a random public key
pk ∈ {0,1}^κ. This produces a distribution D^2 of the output of the simulation.
Since D^1 and D^2 only differ in the key we enforce π^(force,random) to hit and
the simulation is quantum poly-time, there exists a poly-sized circuit Q, such
that Q(U(𝒳)) = D^1 and Q(U({0,1}^κ)) = D^2, where U(𝒳) and U({0,1}^κ) denote
the uniform distribution on 𝒳 and the uniform distribution on {0,1}^κ,
respectively. As U(𝒳) and U({0,1}^κ) are quantum-computationally
indistinguishable, and Q is poly-sized, it follows that Q(U(𝒳)) and
Q(U({0,1}^κ)) are quantum-computationally indistinguishable, and therewith,
D^1 ≈ D^2.

A last change to the simulation is applied by running π^(force,random) honestly
instead of enforcing a uniformly random pk ∈ {0,1}^κ. Let D^3 denote the
distribution obtained after this change. As given in Definition 5, real runs of
π^(force,random) and runs enforcing a uniformly random value are
quantum-computationally indistinguishable. Using a similar argument as above,
where Q is the part of the protocol following the run of π^(force,random), we
get that D^2 ≈ D^3. Finally, by transitivity, it follows that D^0 ≈ D^3. The
observation that D^0 is the distribution of the simulation and D^3 is the
actual distribution of the real protocol concludes the first part of the proof.

We now argue the second part, i.e., if c ≠ ⊥, then c = h, except with
negligible probability. This follows from extractability of the commitment
scheme COMMIT_pk. Recall that, if pk ∈ 𝒳, then the probability that A' can open
any A to a plaintext different from xtr_sk(A) is at most (3/4)^σ when S is
picked uniformly at random and independent of A. The requirement on S is
however guaranteed (except with negligible probability) by the random flavor of
the underlying protocol π^(random,force) producing S. This concludes the proof
of enforceability against Alice, as given in Definition 5. ∎



^11 Briefly, a hybrid argument is a proof technique to show that two (extreme)
distributions are computationally indistinguishable via proceeding through
several (adjacent) hybrid distributions. If all adjacent distributions are
pairwise computationally indistinguishable, it follows by transitivity that the
two end points are so as well. We want to point out that we are not subject to
any restrictions in how to obtain the hybrid distributions as long as we
maintain indistinguishability.
Proof (Enforceability against Bob). To prove enforceability against corrupted
B', we construct a simulator B̂' as shown in Fig. 11. It is straightforward to
verify that the simulation always ensures that c = h if B' does not abort.
However, we must explicitly argue that the simulation is
quantum-computationally indistinguishable from the real protocol.



Simulation B̂' for π^(force,force):

1. B̂' requests h from F_COIN and runs π^(force,random) honestly with B' to
produce a uniformly random public key pk ∈ {0,1}^κ.

2. B̂' computes COMMIT_pk(a', (s, r)) = (A_1, ..., A_Σ) for uniformly random
a', s ∈ F^σ and sends (A_1, ..., A_Σ) to B'.

3. B̂' receives b from B'.

4. B̂' computes a = b ⊕ h. It then picks a uniformly random subset
S ⊂ {1, ..., Σ} with |S| = σ, and lets a'|_S be the σ messages committed to by
A|_S. Then, it interpolates the unique polynomial f of degree at most (2σ − 1)
for which f(i) = a'_i for i ∈ S and for which f(−i+1) = a_i for
i ∈ {1, ..., σ}. Finally, it sends (f(1), ..., f(Σ)) to B'.

5. During the run of π^(random,force), B̂' enforces the challenge S.

6. B̂' sends r|_S to B'.

7. B̂' outputs whatever B' outputs.

Figure 11. Simulation for Bob's force in π^(force,force).

Indistinguishability follows by first arguing that the probability for
pk ∉ {0,1}^κ \ 𝒳 is negligible. This follows from 𝒳 being negligible in {0,1}^κ
and pk produced with flavor random against B' by π^(force,random) being
uniformly random in {0,1}^κ, except with negligible probability.

Second, we have to show that if pk ∈ {0,1}^κ \ 𝒳, then the simulation is
quantum-computationally close to the real protocol. This can be shown via the
following hybrid argument. Let D^0 be the distribution of the output of the
simulation and let D^1 be the distribution of the output of the simulation where
we send all a'_i for i ∈ {1, ..., Σ} at the end of Step (4.). Since commitments
by commit_pk are unconditionally hiding in case of pk ∈ {0,1}^κ \ 𝒳,
commitments by COMMIT_pk are unconditionally hiding as well. Furthermore,
both a' and a are uniformly random, so we obtain statistical closeness between
(a', COMMIT_pk(a', (s, r))) and (a, COMMIT_pk(a', (s, r))). Since, further, the
distributions D^0 and D^1 can be produced by a poly-sized circuit applied to
either (a', COMMIT_pk(a', (s, r))) or (a, COMMIT_pk(a', (s, r))), it holds that
D^0 ≈ D^1.

Now, let D^2 be the distribution obtained by not simulating the opening via
the trapdoor, but instead doing it honestly to the value committed to, i.e.
(a', r). We still use the challenge S from the forced run of π^(random,force),
though. However, for uniformly random challenges, real runs are
quantum-computationally indistinguishable from simulated runs, and we get
D^1 ≈ D^2.

Next, let $\mathcal{D}^3$ be the distribution of the output of the simulation where we run $\pi^{(\mathrm{random},\mathrm{force})}$ honestly instead of enforcing outcome $S$. We then use the honestly produced $S'$ in the proof in Step (6.) instead of the enforced $S$. We can do this, as we modified the process leading to $\mathcal{D}^2$ towards an honest opening without any trapdoor, so we no longer need to enforce a particular challenge. Under the assumption that $\pi^{(\mathrm{random},\mathrm{force})}$ is enforceable against $B'$, and observing that real runs are quantum-computationally indistinguishable from runs enforcing uniformly random outcomes, we obtain $\mathcal{D}^2 \approx \mathcal{D}^3$.

It follows by transitivity that $\mathcal{D}^0 \approx \mathcal{D}^3$, and we conclude the proof by observing that after our changes, the process producing $\mathcal{D}^3$ is the real protocol. This concludes the proof of enforceability against Bob, according to Definition 5 with switched sides. ■



C Proof of Theorem 3 (Zero-Knowledge Proof of Knowledge)

Completeness is obvious. An honest party $A$, following the protocol with $(x, w) \in \mathcal{R}$ and any valid encoding $e$, will be able to open all commitments in the positions specified by any challenge $s$. Honest Bob then outputs $J(x, s, e_s) = \mathrm{success}$.

Proof (Security against dishonest Alice). To prove security in case of corrupted $A'$, we construct a simulator $\hat{A}'$ that simulates a run of the actual protocol with $A'$ and $\mathcal{F}_{ZKPK(\mathcal{R})}$. The proof is then twofold. First, we show indistinguishability between the distributions of simulation and protocol. And second, we verify that the extractability property of the underlying witness encoding scheme (see Definition 7) implies a negligible knowledge error. Note that if $A'$ sends abort at any point during the protocol, $\hat{A}'$ sends some input $(x', w') \notin \mathcal{R}$ to $\mathcal{F}_{ZKPK(\mathcal{R})}$ to obtain output $(x, j)$ with $j = \mathrm{abort}$, and the simulation halts. Otherwise, the simulation proceeds as shown in Fig. 12.



Simulation $\hat{A}'$ for ZKPK($\mathcal{R}$):

1. $\hat{A}'$ samples a random key $pk$ along with the extraction key $sk$. Then it enforces $pk$ as output from $\mathcal{F}_{\kappa\text{-COIN}}$.

2. When $\hat{A}'$ receives $x$ and $(E_1, \dots, E_n)$ from $A'$, it extracts $e = (\mathrm{xtr}_{sk}(E_1), \dots, \mathrm{xtr}_{sk}(E_n))$.

3. $\hat{A}'$ completes the simulation by following the protocol honestly. If any opening of $A'$ is incorrect, $\hat{A}'$ aborts. Otherwise, $\hat{A}'$ inputs $(x, D(x, e))$ to $\mathcal{F}_{ZKPK(\mathcal{R})}$ and receives $(x, j)$ back. $\hat{A}'$ outputs the final state of $A'$ as output in the simulation.

Figure 12. Simulation against dishonest Alice.

Note that the only difference between the real protocol and the simulation is that $\hat{A}'$ uses a random public key $pk$ sampled along with an extraction key $sk$, instead of a uniformly random $pk \in \{0,1\}^\kappa$. It then enforces $\mathcal{F}_{\kappa\text{-COIN}}$ to hit $pk$. However, by assumption on the commitment keys and by the properties of the ideal coin-flip functionality, the transcripts of simulation and protocol remain quantum-computationally indistinguishable under these changes.

Next, we analyze the output in more detail. It is clear that whenever honest $B$ would output abort in the actual protocol, also $\hat{A}'$ aborts, namely, if $A'$ deviates in the last steps of protocol and simulation, respectively. Furthermore, $\hat{A}'$ accepts if and only if $(x, D(x, e)) \in \mathcal{R}$ or, in other words, the judgment of the functionality is positive, denoted by $j_{\mathcal{F}} = \mathrm{success}$.

It is therefore only left to prove that the case of $j_{\mathcal{F}} = \mathrm{abort}$ but $j_J = \mathrm{success}$ is negligible, where the latter denotes the judgment of algorithm $J(x, s, e_s)$ as in the protocol. In that case, we have $(x, D(x, e)) \notin \mathcal{R}$. This means that $w$ is not extractable from $D(x, e)$, which in turn implies that $(\mathrm{xtr}_{sk}(E_1), \dots, \mathrm{xtr}_{sk}(E_n)) = e$ is not admissible. Thus, there are no two distinct challenges $s$ and $s'$ in which $A'$ could correctly open her commitment to $e$. It follows by contradiction that there exists at most one challenge $s$ which $A'$ can answer. We produce $s \in \{0,1\}^\sigma$ uniformly at random, from which we obtain an acceptance probability of at most $2^{-\sigma}$. Thus, we conclude the proof with negligible knowledge error, as desired. ■

Proof (Security against dishonest Bob). To prove security in case of corrupted $B'$, we construct simulator $\hat{B}'$ as shown in Fig. 13. Our aim is to verify that this simulation is quantum-computationally indistinguishable from the real protocol. The key aspect will be the simulatability guarantee of the underlying witness encoding scheme, according to Definition 8.



Simulation $\hat{B}'$ for ZKPK($\mathcal{R}$):

1. $\hat{B}'$ invokes $\mathcal{F}_{\kappa\text{-COIN}}$ to receive a uniformly random $pk$.

2. $\hat{B}'$ samples a uniformly random challenge $s \in \{0,1\}^\sigma$ and computes $t_s \leftarrow E(x, s)$. $\hat{B}'$ then computes commitments $E_i$ as follows: For all $i \in S(s)$, it commits to the previously sampled $t_s$ via $E_i = \mathrm{COMMIT}_{pk}(t_i, r_i)$. For all other positions $i \in \bar{S}$ (where $\bar{S} = \{1, \dots, n\} \setminus S(s)$), it commits to randomly chosen values $t'_i \in_R \{0,1\}$, i.e. $E_i = \mathrm{COMMIT}_{pk}(t'_i, r_i)$. It sends $x$ and all $E_i$ to $B'$.

3. $\hat{B}'$ forces $\mathcal{F}_{\sigma\text{-COIN}}$ to hit $s$.

4. $\hat{B}'$ opens $E_i$ to $t_i$ for all $i \in S(s)$, i.e. to all $t_s$.

5. $\hat{B}'$ outputs whatever $B'$ outputs.

Figure 13. Simulation against dishonest Bob.

The proof proceeds via a hybrid argument. Let $\mathcal{D}^0$ be the distribution of the simulation as described in Fig. 13. Let $\mathcal{D}^1$ be the distribution obtained from the simulation but with the following change: We inspect $\mathcal{F}_{ZKPK(\mathcal{R})}$ to get a valid witness $w$ for instance $x$, and let $e \leftarrow E(x, w, r')$ be the corresponding encoding. Note that this is possible as a thought experiment for any adjacent distribution in a hybrid argument. From $e$ we then use bits $e_s$ for the same $S(s)$ as previously, instead of bits $t_s$ sampled by $E(x, s)$. All other steps are simulated as before. By the simulatability of the encoding scheme (Definition 8), it holds that the bits $t_s$ in $\mathcal{D}^0$ and the bits $e_s$ in $\mathcal{D}^1$ have the same distribution. Thus, we obtain $\mathcal{D}^0 = \mathcal{D}^1$.

We further change the simulation in that we compute the bits in all positions $i \in \bar{S}$ from the encoding $e$ defined in the previous step. Again, all other steps of the simulation remain unchanged. Let $\mathcal{D}^2$ denote the new distribution. The only difference now is that for $i \in \bar{S}$, the commitments $E_i$ are to the bits $e_i$ of a valid $e$ and not to uniformly random bits $t'_i$. This, however, is quantum-computationally indistinguishable to $B'$ for $pk \in_R \{0,1\}^\kappa$, as $\mathrm{COMMIT}$ is quantum-computationally hiding towards $B'$. Note that $pk$ is guaranteed to be random by an honest call to $\mathcal{F}_{\kappa\text{-COIN}}$, and recall that we do not have to open the commitments in these positions. Hence, we get that $\mathcal{D}^1 \approx \mathcal{D}^2$.

Note that after the two changes, leading to distributions $\mathcal{D}^1$ and $\mathcal{D}^2$, the commitment step and its opening now proceed as in the actual protocol, namely, we commit to the bits of $e \leftarrow E(x, w, r')$ and open the subset corresponding to $S(s)$. The remaining difference to the real protocol is the enforcement of challenge $s$, whereas $s$ is chosen randomly in the protocol. Now, let $\mathcal{D}^3$ be the distribution of the modified simulation, in which we implement this additional change of invoking $\mathcal{F}_{\sigma\text{-COIN}}$ honestly and then open honestly to the resulting $s$. Note that both processes, i.e., first choosing a random $s$ and then enforcing it from $\mathcal{F}_{\sigma\text{-COIN}}$, or invoking $\mathcal{F}_{\sigma\text{-COIN}}$ honestly and receiving a random $s$, result in a uniformly random distribution on the output of $\mathcal{F}_{\sigma\text{-COIN}}$. Thus, we obtain $\mathcal{D}^2 = \mathcal{D}^3$.

By transitivity, we conclude that $\mathcal{D}^0 \approx \mathcal{D}^3$, and therewith, that the simulation is quantum-computationally indistinguishable from the actual protocol.



D Proof of Corollary 3 (Two-Party Function Evaluation) 

Proof (Security against dishonest Alice). If $A'$ is corrupted, $\hat{A}'$ uses the proof of knowledge to learn her $x_1$ inside commitment $X_1$. Then $\hat{A}'$ inputs $x_1$ to $\mathcal{F}_{FE}$ as $A$'s input and receives $y = f(x_1, x_2)$. Now, $\hat{A}'$ invokes $\mathcal{S}^f_A$ with input $x_1$ and $y$. This, in particular, yields randomness $r_1$ and is quantum-computationally indistinguishable from a real run of protocol $\Pi^f_{A,B}$. Furthermore, the simulated transcript contains all messages sent by $B$. Next, $\hat{A}'$ uses the proof of knowledge to learn $A$'s $s_1$ inside commitment $S_1$. Then $\hat{A}'$ enforces challenge $s'_1$ such that $s'_1 = s_1 \oplus r_1$, and thereby forces $A'$ to use $r_1$ in the following.

$\hat{A}'$ now runs $\Pi^f_{A,B}$ with $A'$. Whenever it is the turn of $B$ to send a message, $\hat{A}'$ sends the next message obtained already by $\mathcal{S}^f_A$. Whenever it is the turn of $A'$ to send a message $m$, $\hat{A}'$ checks whether it coincides with the message obtained already by $\mathcal{S}^f_A$. Note that by construction her only consistent message really is the message obtained previously. In case of inconsistency, $A'$ will fail in her following proof of knowledge, where she must prove that $m$ is consistent with $x_1$ in $X_1$, $s_1$ in $S_1$, and where $r_1 = s_1 \oplus s'_1$ with $r_1$ obtained from $\mathcal{S}^f_A$. Hence, if $A'$ does not send an inconsistent $m$ and thereby make the protocol fail, then the transcript of this simulation is consistent with the previous invocation of $\mathcal{S}^f_A$.

In that case, $\hat{A}'$ inputs $\top$ as second input to $\mathcal{F}_{FE}$, which outputs $y$ as final result. Otherwise, the input is $\bot$, yielding output $\bot$ from $\mathcal{F}_{FE}$ and modeling the case where a wrong $m$ makes $A'$ fail in the proof of knowledge.

Therefore, the only difference between the simulation with $\mathcal{F}_{FE}$ and the real procedure $\Pi^{FE}_{A,B}$ is $A$'s views, simulated by $\mathcal{S}^f_A$ and actually produced by $\Pi^f_{A,B}$, respectively. These views, however, are by assumption quantum-computationally indistinguishable. ■